Cyber Incident Victim: European Commission
Date: Mar 2024
Location: Belgium
Summary
The European Commission suffered a breach after attackers poisoned the open‑source scanner Trivy, using it to steal an AWS API key and infiltrate the Commission’s cloud environment. The attackers conducted reconnaissance, harvested secrets, and exfiltrated about 92 gigabytes of compressed data containing emails and personal details of staff from dozens of EU institutions. The data was later published online by the ShinyHunters group. The incident highlights how a compromised security tool can serve as a foothold for large‑scale data theft.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On 19 March 2024 the European Commission’s automated security pipeline downloaded a compromised version of the open‑source vulnerability scanner Trivy. The attackers had retained residual access to the trivy‑action repository following an earlier breach of Trivy’s GitHub repository in late February. The malicious version contained code that harvested an AWS API key when executed, giving the threat actors initial access to the Commission’s Amazon Web Services infrastructure. Using the stolen key, the attackers ran TruffleHog to search for additional secrets and attached a newly created access key to an existing user to evade detection. They then enumerated IAM users and roles, EC2 instances, Lambda functions, RDS databases, S3 buckets, and Route 53 hosted zones, with a focus on ECS clusters, mapping task definitions for direct container access and bulk exfiltration from AWS Secrets Manager. The Commission’s Cybersecurity Operations Centre did not detect the anomalous activity until 24 March, when alerts flagged potential misuse of Amazon APIs and an abnormal increase in network traffic. The Commission publicly disclosed the incident on 27 March, and one day later the ShinyHunters gang published the stolen dataset on its dark web leak site.

The exfiltrated data amounted to approximately 92 GB of compressed information which, uncompressed, totals around 340 GB and comprises nearly 52 000 files of outbound email communications together with lists of names, usernames, and email addresses. The stolen data relates to websites hosted for up to 71 clients of the Europa.eu web hosting service, including 42 internal European Commission clients and at least 29 other EU entities; agencies potentially affected include the European Medicines Agency, the European Banking Authority, ENISA, and Frontex. The publication of the dataset by ShinyHunters exposed personal details and email contents of staff across dozens of EU institutions, highlighting the scale of the breach and the sensitivity of the information involved.
In response, CERT‑EU attributed the breach to the cybercrime group TeamPCP, which had exploited the supply chain compromise of Trivy, and noted the subsequent leak by ShinyHunters as a separate actor in the attack chain. CERT‑EU coordinated the incident response under the EU’s Cybersecurity Regulation and began analysing the published dataset to assess the full scope of the compromise. The European Commission’s Cybersecurity Operations Centre continued to monitor for further anomalous activity, and the remediation process for the 71 affected clients was initiated following the disclosure. The breach underscored the vulnerability of open‑source security tools in the supply chain and prompted ongoing investigation into the attackers’ methods and the extent of data exposure.
